Paul Reynolds outlines three steps resellers should take to ensure they are ready to support their customers when GDPR comes into force
Security breaches will be front of mind for all organisations this year, especially as data breaches hit an all-time high in 2016, up 40% on the previous year. No sector is safe – organisations across the board, including Vodafone, Tesco Bank and DCNS, have been affected, and it’s irresponsible to assume that you or one of your partners won’t be hit in the future.
Next year organisations will have more to worry about when the EU General Data Protection Regulation (GDPR) comes into force. It makes organisations accountable for the security of the personal data they hold, and for the most serious infringements the supervisory authority can impose fines of up to €20 million or 4% of global annual turnover, whichever is higher. Had the Tesco Bank hack of last November occurred on or after May 25, 2018, it could have attracted fines of up to £1.9 billion.
The wider repercussion of GDPR is that it will change the way businesses work with one another and how they use technology — regardless of sector or customer base. Channel partners that play a critical role in advising their customers on technology investments need to be proactive and informed to ensure that both they and their customers are prepared.
So, what can you do to ensure that you are GDPR-ready? Below I have outlined three steps that provide a good starting point:
1 Learn about the regulation and evaluate data access and users.
Before GDPR, the EU data protection framework dated from the 1995 Data Protection Directive, a time when mobile phones and portable computers were rare and tablets, smartphones and USB flash drives did not exist. That legislation was not written with data carried on such devices in mind. With GDPR imminent, you must anticipate that the way you interact with your business technologies will change.
Do your due diligence and learn about how the regulation applies to the way you operate your business. A good place to start is the ICO’s resource page for GDPR, which is regularly updated. Ensure that you understand the details around data portability, accountability, governance and the requirements for data protection officers. This knowledge will help you pinpoint which technology touchpoints, data access and user permissions you will need to investigate further.
Having a thorough understanding of GDPR, its requirements and sanctions will give you the background knowledge needed to progress successfully through the other steps, to evaluate your current data protection framework and to give your customers well informed advice.
2 Outline and adopt a plan for data processing and protection.
Once you have a better understanding of GDPR, you can pinpoint where you need to invest in new technology, partners and relevant hires (e.g. data protection officers) in order to be compliant. You will need to put in place a timeline for when new structural or internal regulatory changes
A large part of becoming GDPR-compliant is the adoption of data encryption strategies and tools to protect your customers’ data. One of the biggest blind spots for organisations is the breach caused by lost or stolen hardware, such as laptops. Employees who store and transport sensitive customer data on unencrypted laptops can cause costly information leaks and security breaches should the laptops get into the wrong hands. Encryption is also the measure the regulation names explicitly: Article 32 lists it among appropriate technical measures, and Article 34 relieves a controller of the duty to notify affected individuals when the breached data was rendered unintelligible, for example by encryption, so encrypting data at rest both reduces the risk of a loss and limits its fallout.
Hardware-based encryption is a stark contrast to the unencrypted, or inconsistently applied software-encrypted, approach many organisations have relied on: a self-encrypting drive (SED) encrypts everything written to it with a key held inside the drive controller, at no performance cost to the host. To protect information stored on corporate devices at the hardware level, one of the easiest routes is to replace conventional hard drives, which typically offer no built-in encryption at all, with faster self-encrypting SSDs that encrypt the data directly on the drive. Two caveats matter in practice. First, the drive’s encryption only protects against loss or theft if it is actually locked, by setting an ATA drive password or enabling TCG Opal locking through a pre-boot authentication tool; an SED that encrypts internally but has no password set unlocks itself at power-on and hands its contents to whoever holds it. Second, encryption at rest does nothing against an attacker who compromises the running, unlocked machine, so it complements rather than replaces endpoint and access controls.
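To make the "is it actually locked?" caveat concrete, here is an added audit script, not from the article or from Crucial, that parses the Security section of `hdparm -I` output, the tool a Linux administrator would use to inspect a SATA drive’s ATA security state. The two sample outputs are constructed for the example; the section layout follows hdparm’s real format, where each flag appears on its own indented line prefixed with `not` when false. Drives managed through TCG Opal rather than the legacy ATA password are queried with Opal tooling such as sedutil instead, which this script does not cover.

```python
"""Audit whether a self-encrypting SATA drive is actually locked.

Added example, not from the article. Parses the 'Security:' section that
`hdparm -I /dev/sdX` prints. A self-encrypting drive encrypts everything it
stores, but unless ATA security is *enabled* (a user password set) the
drive unlocks itself at power-on and the encryption protects nothing.
"""
import re
from dataclasses import dataclass

# hdparm prints one flag per line, prefixed with 'not' when false. hdparm
# itself uses tabs; the parser accepts tabs or spaces.
FLAG_RE = re.compile(r"^\s*(not\s+)?(supported|enabled|locked|frozen)\s*$")


@dataclass(frozen=True)
class AtaSecurityState:
    supported: bool
    enabled: bool
    locked: bool
    frozen: bool

    @property
    def protects_data_at_rest(self) -> bool:
        """True only when a password is set. 'locked' merely reflects whether
        the BIOS/pre-boot environment has unlocked the drive for this boot."""
        return self.supported and self.enabled


def parse_hdparm_security(output: str) -> AtaSecurityState:
    """Extract the ATA security flags from full `hdparm -I` output."""
    lines = output.splitlines()
    try:
        start = next(i for i, ln in enumerate(lines) if ln.strip().startswith("Security:"))
    except StopIteration:
        raise ValueError("no 'Security:' section in hdparm output") from None

    flags = {"supported": False, "enabled": False, "locked": False, "frozen": False}
    for line in lines[start + 1:]:
        if line and not line[0].isspace():
            break  # next top-level section reached, e.g. 'Checksum: correct'
        m = FLAG_RE.match(line)
        if m:
            flags[m.group(2)] = m.group(1) is None  # no 'not' prefix -> flag is true
    return AtaSecurityState(**flags)


def audit(output: str) -> str:
    """One-line verdict suitable for a fleet inventory report."""
    state = parse_hdparm_security(output)
    if not state.supported:
        return "UNPROTECTED: drive does not support ATA security"
    if not state.enabled:
        return "UNPROTECTED: self-encrypting drive has no password set"
    session = "currently locked" if state.locked else "unlocked for this session"
    return f"PROTECTED: ATA security enabled, {session}"


# Constructed sample outputs (not captured from real hardware).
UNPROTECTED_SAMPLE = """\
ATA device, with non-removable media
        Model Number:       EXAMPLE-SED-SSD
Security:
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
        not     frozen
        not     expired: security count
                supported: enhanced erase
        2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct
"""

# Same drive after a user password has been set and the BIOS has not yet unlocked it.
PROTECTED_SAMPLE = re.sub(r"not\s+(enabled|locked)", r"\1", UNPROTECTED_SAMPLE)

if __name__ == "__main__":
    for name, sample in (("unprotected", UNPROTECTED_SAMPLE), ("protected", PROTECTED_SAMPLE)):
        print(f"{name}: {audit(sample)}")
```

Run against real hardware with `sudo hdparm -I /dev/sda | python3 audit.py` after replacing the samples with `sys.stdin.read()`; in a fleet inventory the interesting result is a drive reporting `supported` but `not enabled`, because that is precisely the self-encrypting laptop that looks protected on paper and is not.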
Planning and executing a robust strategy to ensure you are GDPR-compliant will set a positive example for your customers and could highlight where they themselves face challenges and opportunities.
3 Inform and educate employees and customers.
Throughout the process, you must be transparent with employees and customers and make them aware that you are taking steps to become GDPR-compliant. The rollout of new policies or technology will not succeed unless everyone in the organisation is aware of the changes and how they are affected by them.
In doing this, you will begin to create a new corporate culture that values data security and protection. At the same time, informing customers about your GDPR strategies will help initiate conversations about how they can meet their requirements.
Huge regulatory shifts like GDPR can present opportunities to re-evaluate your and your customers’ applications, architecture, security procedures and more. Investing time to become more knowledgeable about GDPR and going through the process of devising and implementing a compliance strategy of your own will make you a more valuable partner to your customers.
Paul Reynolds is North Europe Manager at memory and storage specialist Crucial.